Analysis
- max time kernel: 153s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-01-2022 17:59
Static task: static1
Behavioral task: behavioral1
Sample: dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe
Resource: win7-en-20211208
General
- Target: dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe
- Size: 139KB
- MD5: 96f38dc9816140fc3f63e540e9d9292e
- SHA1: 0415d5a89e15fe9dda8454abec351897adaf866a
- SHA256: dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006
- SHA512: 8b1ac503d48d27106641fb57040759794b6488c6ba58fb742fd9ab87a6d6e51637b3de04e2ccaf593747d763d34703d957a07c325e9d5ac9b1ac39539e4a0186
Malware Config
Extracted:
- C:\GXXKGYVJIQ-DECRYPT.txt
- http://gandcrabmfe6mnef.onion/771262d8184cfe00
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
suricata: ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe (process column for every row)
  description | ioc
  File renamed | C:\Users\Admin\Pictures\ExitExport.tif => C:\Users\Admin\Pictures\ExitExport.tif.gxxkgyvjiq
  File opened for modification | C:\Users\Admin\Pictures\PopInitialize.tiff
  File renamed | C:\Users\Admin\Pictures\PopInitialize.tiff => C:\Users\Admin\Pictures\PopInitialize.tiff.gxxkgyvjiq
  File renamed | C:\Users\Admin\Pictures\RequestClear.tif => C:\Users\Admin\Pictures\RequestClear.tif.gxxkgyvjiq
  File renamed | C:\Users\Admin\Pictures\CopySkip.png => C:\Users\Admin\Pictures\CopySkip.png.gxxkgyvjiq
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe (process column for every row)
  description | ioc
  File opened (read-only) | \??\P:
  File opened (read-only) | \??\W:
  File opened (read-only) | \??\Z:
  File opened (read-only) | \??\A:
  File opened (read-only) | \??\G:
  File opened (read-only) | \??\K:
  File opened (read-only) | \??\R:
  File opened (read-only) | \??\Q:
  File opened (read-only) | \??\S:
  File opened (read-only) | \??\T:
  File opened (read-only) | \??\U:
  File opened (read-only) | \??\F:
  File opened (read-only) | \??\H:
  File opened (read-only) | \??\M:
  File opened (read-only) | \??\N:
  File opened (read-only) | \??\V:
  File opened (read-only) | \??\X:
  File opened (read-only) | \??\Y:
  File opened (read-only) | \??\L:
  File opened (read-only) | \??\O:
  File opened (read-only) | \??\B:
  File opened (read-only) | \??\E:
  File opened (read-only) | \??\I:
  File opened (read-only) | \??\J:
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe
  description | ioc
  Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"
-
Drops file in Program Files directory 45 IoCs
Processes: dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe (process column for every row)
  description | ioc
  File opened for modification | C:\Program Files\OutDismount.mpeg3
  File opened for modification | C:\Program Files\ReceiveRead.docx
  File opened for modification | C:\Program Files\RedoTest.rar
  File opened for modification | C:\Program Files\RenameUnpublish.m4v
  File opened for modification | C:\Program Files\ShowConnect.xla
  File opened for modification | C:\Program Files\UndoPush.pot
  File opened for modification | C:\Program Files\DenyPush.wmx
  File opened for modification | C:\Program Files\DisableUndo.jtx
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\184cf9e3184cfe07214.lock
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\184cf9e3184cfe07214.lock
  File opened for modification | C:\Program Files\AddGrant.svg
  File opened for modification | C:\Program Files\HideProtect.3g2
  File opened for modification | C:\Program Files\MoveCompress.rar
  File opened for modification | C:\Program Files\ProtectUnlock.reg
  File created | C:\Program Files\GXXKGYVJIQ-DECRYPT.txt
  File created | C:\Program Files\184cf9e3184cfe07214.lock
  File opened for modification | C:\Program Files\ConvertSwitch.sql
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\GXXKGYVJIQ-DECRYPT.txt
  File opened for modification | C:\Program Files\PushHide.ADT
  File opened for modification | C:\Program Files\RestartRedo.vb
  File opened for modification | C:\Program Files\StopSend.wm
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\GXXKGYVJIQ-DECRYPT.txt
  File opened for modification | C:\Program Files\DebugDisable.ttc
  File opened for modification | C:\Program Files\EnterRename.ppt
  File opened for modification | C:\Program Files\RemoveRepair.xla
  File opened for modification | C:\Program Files\SkipBlock.htm
  File opened for modification | C:\Program Files\UpdateResume.rm
  File opened for modification | C:\Program Files\DebugUpdate.bin
  File opened for modification | C:\Program Files\MountDismount.wdp
  File opened for modification | C:\Program Files\MergeShow.csv
  File opened for modification | C:\Program Files\ResetDeny.m4v
  File opened for modification | C:\Program Files\StartCheckpoint.ps1
  File opened for modification | C:\Program Files\StopStep.M2TS
  File opened for modification | C:\Program Files\UnregisterResume.otf
  File created | C:\Program Files (x86)\184cf9e3184cfe07214.lock
  File opened for modification | C:\Program Files\ConvertFromUnregister.xltm
  File opened for modification | C:\Program Files\GrantExpand.ppsx
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\184cf9e3184cfe07214.lock
  File opened for modification | C:\Program Files\FindSubmit.7z
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\GXXKGYVJIQ-DECRYPT.txt
  File opened for modification | C:\Program Files\RestartPop.ps1xml
  File opened for modification | C:\Program Files\SetRead.dxf
  File created | C:\Program Files (x86)\GXXKGYVJIQ-DECRYPT.txt
  File opened for modification | C:\Program Files\CompleteUse.vstx
  File opened for modification | C:\Program Files\EnableRead.rle
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe (process column for every row)
  description | ioc
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe
  pid | process
  1752 | dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe
  1752 | dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes: wmic.exe, vssvc.exe
  description | pid | process
  wmic.exe (pid 1216), the following 20 token rows appear twice in the report (40 rows):
  Token: SeIncreaseQuotaPrivilege | 1216 | wmic.exe
  Token: SeSecurityPrivilege | 1216 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1216 | wmic.exe
  Token: SeLoadDriverPrivilege | 1216 | wmic.exe
  Token: SeSystemProfilePrivilege | 1216 | wmic.exe
  Token: SeSystemtimePrivilege | 1216 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1216 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1216 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1216 | wmic.exe
  Token: SeBackupPrivilege | 1216 | wmic.exe
  Token: SeRestorePrivilege | 1216 | wmic.exe
  Token: SeShutdownPrivilege | 1216 | wmic.exe
  Token: SeDebugPrivilege | 1216 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1216 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1216 | wmic.exe
  Token: SeUndockPrivilege | 1216 | wmic.exe
  Token: SeManageVolumePrivilege | 1216 | wmic.exe
  Token: 33 | 1216 | wmic.exe
  Token: 34 | 1216 | wmic.exe
  Token: 35 | 1216 | wmic.exe
  vssvc.exe (pid 1504):
  Token: SeBackupPrivilege | 1504 | vssvc.exe
  Token: SeRestorePrivilege | 1504 | vssvc.exe
  Token: SeAuditPrivilege | 1504 | vssvc.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe
  description | pid | process | target process
  PID 1752 wrote to memory of 1216 | 1752 | dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe | wmic.exe
  PID 1752 wrote to memory of 1216 | 1752 | dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe | wmic.exe
  PID 1752 wrote to memory of 1216 | 1752 | dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe | wmic.exe
  PID 1752 wrote to memory of 1216 | 1752 | dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe | wmic.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dbb88de4201933bdb099b21f91786be636b6e4486765f023abd3319300ed0006.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix: ATT&CK v6
Downloads
- memory/1752-54-0x0000000076911000-0x0000000076913000-memory.dmp (Filesize 8KB)